GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-09-17 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-09-17 13:52:32 +0100
commit: 70b18066d3921277861e98902c9cf41a10ac6898 (patch)
tree: 0bfe9fa4fee0c290b5ff1bc1c2977048beecd37b /monitor_wrap.c
parent: 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e6217b3d4..71e7c08e2 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-09-17 13:52:32 +0100
commit	70b18066d3921277861e98902c9cf41a10ac6898 (patch)
tree	0bfe9fa4fee0c290b5ff1bc1c2977048beecd37b /monitor_wrap.c
parent	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index e6217b3d4..71e7c08e2 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1069	}	1069	}
1070		1070
1071	int	1071	int
1072	mm_ssh_gssapi_userok(char *user)	1072	mm_ssh_gssapi_userok(char user, struct passwd pw)
1073	{	1073	{
1074	Buffer m;	1074	Buffer m;
1075	int authenticated = 0;	1075	int authenticated = 0;
@@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user)
1086	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1086	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1087	return (authenticated);	1087	return (authenticated);
1088	}	1088	}
		1089
		1090	OM_uint32
		1091	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		1092	{
		1093	Buffer m;
		1094	OM_uint32 major;
		1095	u_int len;
		1096
		1097	buffer_init(&m);
		1098	buffer_put_string(&m, data->value, data->length);
		1099
		1100	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		1101	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		1102
		1103	major = buffer_get_int(&m);
		1104	hash->value = buffer_get_string(&m, &len);
		1105	hash->length = len;
		1106
		1107	buffer_free(&m);
		1108
		1109	return(major);
		1110	}
		1111
		1112	int
		1113	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1114	{
		1115	Buffer m;
		1116	int ok;
		1117
		1118	buffer_init(&m);
		1119
		1120	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1121	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1122	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1123
		1124	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1125	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1126
		1127	ok = buffer_get_int(&m);
		1128
		1129	buffer_free(&m);
		1130
		1131	return (ok);
		1132	}
		1133
1089	#endif /* GSSAPI */	1134	#endif /* GSSAPI */
1090		1135